Use of reversible crypto to store passwords long considered a no-no.

New features designed to make it easier to log into Windows 8 accounts allow encrypted passwords to be converted into plaintext in some cases, security researchers said.

The features, which allow people to sign in with a picture-based password and four-digit personal identification number, are intended to provide a less-cumbersome alternative to entering a password each time users want to access their account. Once people have set up a password for an account, they can use pictures or PINs to log in from then on.

But the added convenience comes at a cost. According to security experts who have tested the features in developer pre-releases of the upcoming Microsoft operating system, the features cause Windows 8 to store passwords using encryption that can be reversed. Attackers who gain physical control of a computer as well as administrator access can extract the key that recovers the plaintext password of each account that uses the log-on alternatives. The latest version of Windows Password Recovery, a password-cracking package sold by Russia-based Passcape Software, claims to do just that.

To be sure, decrypting the underlying authentication password that corresponds to a PIN or picture isn't possible in many situations. That's because it's stored in a "system vault" that's protected by the Windows 8 Data Protection API using the Advanced Encryption Standard algorithm. The key that unlocks the password, however, is easily extracted by users who have administrative control of the computer, allowing them to recover the plaintext passwords of any accounts that use the alternative login features. Security experts said that represents an increased risk over the use of cryptographic hashes to store passwords, because hashes are impossible to mathematically reverse.

"The single biggest risk I see is the likelihood of password reuse because people are really bad about choosing good passwords and they tend to reuse what they have over and over again," said security researcher Adam Caudill. "You can use this in a targeted attack against a person and take the knowledge that you gain there to pivot... attacking online services, anything from Dropbox accounts to Facebook. There's a fairly decent chance they're going to use the same password or a very similar password."

There are cases where it's possible for attackers to gain access to administrative accounts on lost or stolen laptops, and in those cases the encrypted passwords could be easily decrypted, said Per Thorsheim, a security adviser for a large company headquartered in Norway and an organizer of the upcoming Passwords^12 conference in Oslo. In cases where an unattended computer is left in sleep or hibernation modes, for example, passwords are sometimes not required to reactivate them.

The use of reversible encryption is an infinitely better alternative to plaintext for storing passwords, but security experts have long regarded it as inferior to password hashes, which are practically impossible to crack when users choose truly secure passwords. While the new features aren't exactly a security vulnerability, they would seem to go against Microsoft's Defense in Depth mantra.

A Microsoft spokeswoman declined to respond to questions about whether company officials think the features should be used by corporate customers and in environments where security is key. Posts in user forums such as this one seem to suggest that Picture Password no longer works when logging into corporate or government networks, so it's possible Microsoft has already recognized the diminished security of such conveniences.

Promoted Comments

"Attackers who gain physical control of a computer as well as administrator access can extract the key that recovers the plaintext password of each account that uses the log-on alternatives."

At the point they already have physical control and admin access, reversible cryptography hardly seems your biggest problem.

In terms of access to that computer, that's true. But, as the article points out, many (most?) people re-use their passwords, and recovering the passwords in plaintext could therefore unlock all sorts of online accounts.

Honestly, and this is for MS to really resolve... two factor authentication? It's not even available for their Outlook/Live/Hotmail properties, and I'm appalled by that considering it is there for MSDN and Xbox.

If they had two factor authentication with Windows 8, you'd be able to get much more secure in your work regardless. Any time you're off your normal ISP, you'd have to enter the two factor auth. I don't imagine it's that difficult to put in, considering it's there for MSDN/Xbox.

2-factor would seem like a fairly straightforward implementation, but it would be slightly more cumbersome for most customers, people who really don't care about other people gaining access. It seems like with Windows 8 and all the integration, Microsoft is trying to push an extremely user-friendly product to compete directly with Mac, and that includes loosening some security to get less educated users into their product.

The key that unlocks the password, however, is easily extracted by users who have administrative control of the computer, allowing them to recover the plaintext passwords of any accounts that use the alternative login features.

If you have physical access to the system, you can simply look at the touchscreen to determine how people slide their fingers to unlock the system (obviously not on a non-touch PC, but this is Windows 8 we're talking about).

I seem to recall an Ars article about this that they could still extract the picture unlock even after the user used the device for an extended time.

If you give me administrator access to your PC (or Mac), and even if you're running some Linux distro, I have a much simpler way of getting your password: install a keylogger. Because, you know, as the administrator I can do that.

"Attackers who gain physical control of a computer as well as administrator access can extract the key that recovers the plaintext password of each account that uses the log-on alternatives."

At the point they already have physical control and admin access, reversible cryptography hardly seems your biggest problem.

Came in to post this. In this situation, you're already boned.

Seems like the new fashion, at least on Android and now with Win8, is to give you more options for securing your device (Android seems to have the most: no password, pattern password, face unlock, pin), and letting the user choose the tradeoff between security and convenience.

If you have physical access to the system, you can simply look at the touchscreen to determine how people slide their fingers to unlock the system (obviously not on a non-touch PC, but this is Windows 8 we're talking about).

While this may be possible, with Picture Password you also have to get the order of the gestures right, and then there's the other smudges from using the touch screen for other stuff.

If you're going to have an alternate login mechanism, and the system requires the primary, you need to bridge from the alternate to the primary. It really doesn't matter if that bridge is your actual password, or a hashed copy, or a special super secret handshake - whatever it is has to be trusted by the primary login method. Hashing doesn't change anything - you present the "trusted" hash and it's the same as presenting the original password. The only thing solved by hashing here would be not potentially exposing a password that is used in other places (which is pointed out in the article), but there are other ways to get that if you have physical administrative access without going through this nonsense. Heck, a hardware keylogger doesn't need administrative access, only physical access. Or you can crack the hash if you have that (easy enough to get and crack in the Windows case). This might make it slightly easier, but fundamentally the issue hasn't really changed.

As far as two factor goes, Windows has supported two-factor for well over a decade, natively. It's not a new thing. Microsoft internally uses smartcards heavily for pretty much all access of consequence. But two-factor is a huge PITA for normal consumers to deal with. "All I want to do is unlock my computer and I have to go get my cell phone to look up a code? Windows is so stupid. Where's my iPad?"

While I would like to see the protection of passwords stored under this framework improved, I don't see this as anything new or particularly threatening. Physical access has long essentially meant that you have or can gain administrative access to a system and from there the local account passwords.

From what I understand, the new picture password feature uses the same APIs as the Biometric Framework introduced in Windows 7 for fingerprint readers so the underlying security is not particularly new for Windows 8.

The main risk for this comes if a user is allowed to use the framework for domain logins because then their network password could be stored in this less secure fashion which, if extracted, would potentially allow access to much more than the compromised system. Use of the framework can be blocked for domain logins, which is the default, and the setting is also enforceable via Group Policy so that is probably why users report it doesn't work for corporate/govt. networks. I don't think you'll see much beyond the traditional smart card/password logins for those environments for a little while longer.

This can also be mitigated by the use of full disk encryption (BitLocker, TrueCrypt, etc.).

Honestly, who cares? In the field of password security I feel like there are much, MUCH bigger issues that need to be addressed before worrying about an OS account crack that requires physical access to the box.

I mean, if someone malicious has physical access to your computer, you're just completely SOL anyways. If you're re-using passwords left and right and someone has access to your machine they can gain entry to your accounts with or without this vulnerability. This really seems like a complete non-issue.

Physical access only gives you everything on the computer you have. Being able to reverse the user's password might give you further access to their other accounts.

Really there is no excuse for this. There is no reason for the 'Validate by other than password' process to need the password. It should just log you in, not decode your password and pass it to the process that logs you in.

If someone has physical access, full disk encryption is the only solution. I don't consider any passwords in Windows as a good way to secure my computer. They just block people from using my account, but against physical access and a lot of time they are useless.

"Attackers who gain physical control of a computer as well as administrator access can extract the key that recovers the plaintext password of each account that uses the log-on alternatives."

At the point they already have physical control and admin access, reversible cryptography hardly seems your biggest problem.

In terms of access to that computer, that's true. But, as the article points out, many (most?) people re-use their passwords, and recovering the passwords in plaintext could therefore unlock all sorts of online accounts.

Yes, but then I could also install a keylogger and get all of your passwords for anything that you access from your computer (even if you don't reuse your passwords).

Of course if someone has stolen your computer, then it's still a concern. However, they first need to log onto your machine as an administrator.

If you're going to have an alternate login mechanism, and the system requires the primary, you need to bridge from the alternate to the primary. It really doesn't matter if that bridge is your actual password, or a hashed copy, or a special super secret handshake - whatever it is has to be trusted by the primary login method. Hashing doesn't change anything - you present the "trusted" hash and it's the same as presenting the original password.

I don't understand the basic premise here. *Why* do you need to use the primary method at all? Why can't the picture password put you right through to a logged-in state without essentially pretending to enter a password to the primary login mechanism? Why can't it directly do whatever the primary login mechanism does?

This applies here but also to other alternative login options, like auto-login.

2-factor would seem like a fairly straightforward implementation, but it would be slightly more cumbersome for most customers, people who really don't care about other people gaining access. It seems like with Windows 8 and all the integration, Microsoft is trying to push an extremely user-friendly product to compete directly with Mac, and that includes loosening some security to get less educated users into their product.

I don't think they intended that the two-factor authentication would be required, but would be an option. We have it in my organization, but it's only used for logging in to servers. For logging into a desktop just a standard username and password is fine.

I'm not sure with your last sentence whether you are trolling or just uninformed.

- Building an extremely user friendly product is always good.

- They didn't have to loosen security to implement the extra features, and they've been increasing security over the last few Windows releases while also introducing more Mac-like features.

- Less educated users? Demographic studies show Mac users are better educated and make more money. I work at a university and our students and profs buy Macs in much higher numbers than the general public. Among our technical staff Mac and Linux are the main desktops we use these days, Windows is far from the majority.

What I think will be the biggest security issue for Windows login on Windows 8 will be the Microsoft Account, or in other words your Hotmail, Live or Outlook account and password.

Microsoft encourages people to do so on Windows 8 for full integration with Mail, Calendar, Windows Store, Skydrive, etc. But remembering that, without doing anything in particular, I've had my Hotmail account hacked twice in 10 years, if my Windows installation used the same username/password as my Hotmail I would not feel secure.

I prefer creating a regular Windows account and then putting my Hotmail info wherever I need it, like the Mail program and Windows Store, but the average user won't think about this; it's cool to have settings shared between PCs!

"Posts in user forums such as this one seem to suggest that Picture Password no longer works when logging into corporate or government networks, so it's possible Microsoft has already recognized the diminished security of such conveniences."

These conveniences are really for consumers who will use Windows 8 and Windows RT on mobile devices.

In corporate domains, I would be shocked if Group Policy could not be used to limit the use of these alternative log-on options, just as it is used to enforce password complexity and expiration policies. If this is the case, I am sure Microsoft recognized this requirement from the beginning.

I'm not sure with your last sentence whether you are trolling or just uninformed.

- Building an extremely user friendly product is always good.

- They didn't have to loosen security to implement the extra features, and they've been increasing security over the last few Windows releases while also introducing more Mac-like features.

- Less educated users? Demographic studies show Mac users are better educated and make more money. I work at a university and our students and profs buy Macs in much higher numbers than the general public. Among our technical staff Mac and Linux are the main desktops we use these days, Windows is far from the majority.

Sorry, I didn't mean to come off as either; what I was trying to say is the average user won't care about 2-factor authentication because computer security is just not a big issue to most people right now. I get enough complaints at work when people have to change their password every month and a half that I know when those users go home, they either have no password, or one they have been using for years, and that would be the average user. Higher-end users care more about security and are well aware of the risks, but I was trying to say the majority of people buying this product simply don't care and want as easy an experience as possible to log on, or they are uninformed and like to think they care by implementing some sort of protection, but it has to be simple and quick or they will be turned off by it.

I see your point here but I believe the article is trying to state the difference between reversible encryption and hashing. If you know the key used in a reversible encryption scenario, you can decrypt whatever was encrypted. This differs from hashing in that even if you know it is using the MD5 hashing algorithm, you can't decrypt the hash - all you can do is calculate the hashes of possible passwords until you get a hit.

Think of it this way: The strength of a password when using reversible encryption lies in the strength of the encryption key. The strength of a password when using hashing lies in the strength of the password itself.*

In a reversible encryption scenario, it really doesn't matter how strong you make your password since the true safeguard is the key used to encrypt it (which you don't control)
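The contrast the article draws (a vault key an administrator can extract, versus a hash that can only be guessed at) and the comment above both describe the same property; the following is an added illustration, not code from Windows, DPAPI, or Passcape. The standard library has no AES, so the "reversible" half uses a keystream built from HMAC-SHA256 in counter mode as an assumed stand-in; the point shown, that whoever holds the key gets the plaintext regardless of password strength, does not depend on the cipher.

```python
"""Reversible storage vs. salted, slow-hashed storage of a password.
Added illustration; the cipher is a stand-in (see lead-in), not DPAPI."""
import hashlib
import hmac
import os

# --- Reversible storage: plaintext comes back to anyone holding the key ---

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (assumed stand-in for AES)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def reversible_store(password: str, vault_key: bytes) -> bytes:
    """Encrypt the password under the vault key; returns nonce || ciphertext."""
    data = password.encode()
    nonce = os.urandom(16)
    stream = _keystream(vault_key, nonce, len(data))
    return nonce + bytes(a ^ b for a, b in zip(data, stream))

def reversible_recover(blob: bytes, vault_key: bytes) -> str:
    """What an administrator who has extracted the vault key can do: decrypt
    directly. The strength of the password plays no role at all."""
    nonce, ciphertext = blob[:16], blob[16:]
    stream = _keystream(vault_key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream)).decode()

# --- Hashed storage: there is no key to steal; only guessing is left ---

ITERATIONS = 200_000  # slow KDF: raises the cost of every guess

def hash_store(password: str) -> dict:
    """Store a random salt and a PBKDF2-HMAC-SHA256 digest, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest, "iterations": ITERATIONS}

def hash_verify(password: str, record: dict) -> bool:
    """Recompute the digest from the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])

def offline_guess(record: dict, candidates):
    """The only route left to someone holding a hash record: try candidates.
    Returns the matching candidate, or None when the password is not on the
    list (which is exactly what a strong, unique password buys the user)."""
    for guess in candidates:
        if hash_verify(guess, record):
            return guess
    return None

if __name__ == "__main__":
    strong = "correct-horse-battery-staple-7Qx"   # constructed sample password
    vault_key = os.urandom(32)                  # the key an admin could extract
    common = ["password", "letmein", "123456"]  # constructed tiny wordlist
    blob = reversible_store(strong, vault_key)
    print("reversible, holding the key:", reversible_recover(blob, vault_key))
    print("hashed, guessing from a list:", offline_guess(hash_store(strong), common))
```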

What I think will be the biggest security issue for Windows login on Windows 8 will be the Microsoft Account, or in other words your Hotmail, Live or Outlook account and password.

Microsoft encourages people to do so on Windows 8 for full integration with Mail, Calendar, Windows Store, Skydrive, etc. But remembering that, without doing anything in particular, I've had my Hotmail account hacked twice in 10 years, if my Windows installation used the same username/password as my Hotmail I would not feel secure.

I prefer creating a regular Windows account and then putting my Hotmail info wherever I need it, like the Mail program and Windows Store, but the average user won't think about this; it's cool to have settings shared between PCs!

Are you trying to suggest that there is some backdoor hack into the Live ID (now Microsoft Account) system and that is how your Hotmail account was broken into? Microsoft Accounts are used across nearly all (if not all) Microsoft online services including Xbox, Volume Licensing, Certifications, Partners, Office 365 etc. It's not just your Hotmail/Outlook.com account.

If there was some way of obtaining your password that didn't require fault of the user somehow (used on another compromised service, keylogger, phishing, etc.) I would think it would have been widely publicized by now and promptly corrected. I don't personally recall there ever being such an instance, though I could be forgetting something.

You should take extra care to guard your Microsoft Account password given what it is tied to in Windows 8. It is also worth noting in that context that sync'ing your settings to a PC you haven't chosen to trust does require you to verify that you trust the new computer which requires two-factor authentication (I get a text message with a PIN sent to my cell).

In corporate domains, I would be shocked if Group Policy could not be used to limit the use of these alternative log-on options, just as it is used to enforce password complexity and expiration policies. If this is the case, I am sure Microsoft recognized this requirement from the beginning.

I think it's a really bad idea to ask new PC owners to log into their computers with their email addresses. I was surprised and annoyed by that when I installed the Windows 8 preview. It's easy enough to skip and create a regular local user account, but novice users may not see that option, much less understand what a user account is, or what the ramifications could be of tying their new computer to an email address.

Sure, this makes it easier to get your email and calendar, etc, but why would you want every single task performed on your computer to be associated with your email address? Talk about data mining and tracking opportunities!

If you give me administrator access to your PC (or Mac), and even if you're running some Linux distro, I have a much simpler way of getting your password: install a keylogger. Because, you know, as the administrator I can do that.

True. That is why smart people use something like TrueCrypt if they are really worried about their computer's security.

"Attackers who gain physical control of a computer as well as administrator access can extract the key that recovers the plaintext password of each account that uses the log-on alternatives."

At the point they already have physical control and admin access, reversible cryptography hardly seems your biggest problem.

In terms of access to that computer, that's true. But, as the article points out, many (most?) people re-use their passwords, and recovering the passwords in plaintext could therefore unlock all sorts of online accounts.

Passwords, maybe, but not usernames.

Then again, physical + admin = access to the user's web browser, which likely just saves all of their passwords (or at least usernames) for them.

Bad MS...but is it really a valid issue to be concerned with? I mean, at the point where it can be exploited right now, it's sort of a moot point.

"Attackers who gain physical control of a computer as well as administrator access can extract the key that recovers the plaintext password of each account that uses the log-on alternatives."

At the point they already have physical control and admin access, reversible cryptography hardly seems your biggest problem.

In terms of access to that computer, that's true. But, as the article points out, many (most?) people re-use their passwords, and recovering the passwords in plaintext could therefore unlock all sorts of online accounts.

Yes, but then I could also install a keylogger and get all of your passwords for anything that you access from your computer (even if you don't reuse your passwords).

Of course if someone has stolen your computer, then it's still a concern. However, they first need to log onto your machine as an administrator.

The keylogger solution seems to come up in every thread about exposing passwords as plaintext, and every time they overlook the issues with it. Installing a keylogger means you have to wait for logs, get the logs out, then parse them; this vulnerability grants immediate access to the passwords without any of those steps. Installing a keylogger means you're installing software and thus leaving a trail and potential for discovery; this exploit would not, making it much more low-impact and greatly reducing the chance of discovery. Just because there are other methods to achieve a given goal doesn't mean that those different methods lack advantages and disadvantages which differentiate them from each other.

Security is one of the most difficult puzzles to solve. Your average consumer wants to be secure, but doesn't want to have to work too hard for it. If they have to do too much, they will simply opt for no security at all for convenience's sake. In a work environment people are more willing to put up with more involved log-in processes simply because they have no other choice.

The other security headache is using the same, or similar passwords for everything. This is a huge problem. I'm guilty of it as well. With every website wanting passwords, and a person not wanting to have to remember which of the hundred passwords they used on that site, what do you do? You use the same one, so you don't have to memorize. Worse, I know people who have password spreadsheets. The master password programs are flawed in that if that password is compromised all of them are.

I don't have a perfect solution. I wish I did. Then I could retire rich.

I think it's a really bad idea to ask new PC owners to log into their computers with their email addresses. I was surprised and annoyed by that when I installed the Windows 8 preview. It's easy enough to skip and create a regular local user account, but novice users may not see that option, much less understand what a user account is, or what the ramifications could be of tying their new computer to an email address.

Sure, this makes it easier to get your email and calendar, etc, but why would you want every single task performed on your computer to be associated with your email address? Talk about data mining and tracking opportunities!

Does anybody else have a problem with this?

I know, if only they told us what information they were collecting and what they used it for.

I don't personally have a problem with it and enjoy the new features it enables. It's not just about making things easier to get to on your computer, but sync'ing your settings and information across multiple PCs you have chosen to trust.

Is this any different than Keychain on the Mac? We had a very similar "revelation" a few months ago that Keychain can reveal your passwords if you have root access, but that was not really a surprise to me (it's been that way since OS X 10.2 or so).

"Attackers who gain physical control of a computer as well as administrator access can extract the key that recovers the plaintext password of each account that uses the log-on alternatives."

At the point they already have physical control and admin access, reversible cryptography hardly seems your biggest problem.

In terms of access to that computer, that's true. But, as the article points out, many (most?) people re-use their passwords, and recovering the passwords in plaintext could therefore unlock all sorts of online accounts.

When you're in front of the compromised machine, open the desk drawer and you'll probably find a notebook or piece of paper with the usernames and passwords for all their accounts.

I keep hoping I might see something that makes me want to use Win 8. Instead almost every article I see is negative in some or all aspects.

Everything about this seems like MS has really missed on what people need and what they are looking for in terms of features and instead just went with, "Let's go with a nifty theme, focus on touchscreen integration and throw out everything that doesn't let us develop it quickly. BTW we should probably figure out how we're going to get OEMs to shift their entire product lines to touchscreen devices."

Again, we're still talking about a human element that can't be corrected with any level of security.

That level of human element is uneducated users. The consumerization of IT and technology has led to this; as the devices get less and less expensive and provide more and more ability, you're going to have a larger and less educated audience of users.

I cringed at one recently who, after doing a wipe of the entire system OS and reinstallation, asked me to reinstall PC Cleaners Pro on the machine (that's a virus for those that aren't aware) so that his system would run fast then.

Basically they believe what they are told, and they haven't come to realize that this world is full of people that will burn them at the stake if it makes them $1.

No amount of password protection, locks or keys will get by that blindingly obvious but so often never reported fact of life right now.

I recommend reading the article behind the first link (picture-based password). It is quite informative, and shows that the MS designers did do an analysis of issues such as the effect of smudges.

The main drawback of using gestures as sign-in method is that the entered gestures must be compared with the stored correct gestures. Hence, access to the system gives you access to the (unencrypted) stored gestures. This would be like storing passwords in plain text on the computer so you can compare them with entered passwords, something I hope nobody does. Unlike text-based passwords, you cannot easily compare gestures after encryption or hashing, because the gestures aren't exact enough.

As for the danger that reversible encryption poses in the context of password reuse: any web-based service that has a password recovery feature (as opposed to a password reset feature) must, at best, store your password with reversible encryption. And they do that on a web-accessible server which quite likely is in some shared data center; even the server itself may be shared with others. Your Windows 8 tablet is probably not the weakest link there.

2-factor would seem like a fairly straightforward implementation, but it would be slightly more cumbersome for most customers, people who really don't care about other people gaining access. It seems like with Windows 8 and all the integration, Microsoft is trying to push an extremely user-friendly product to compete directly with Mac, and that includes loosening some security to get less educated users into their product.

Here's my idea for 2-factor authentication. Pair the PC with a Bluetooth device and configure it so the PC will only log in if it sees the BT device. It could be your phone, or a key chain in your pocket - anything that you can assure yourself won't be kept in the bag with your tablet or laptop. Now if someone grabs - or even tries to access - your PC while out of range of the Bluetooth device, access is blocked.

Edit: This isn't an original idea, but I'm not aware of any existing products that do it.